Is Zero Trust a model for effective and efficient security?
We are adding a third blog post in the series of Prevention, Detection, and Recovery from Cyberattacks. In today’s blog, we want to explore the concept of ZERO TRUST.
The fifth annual Cyber Resilient Organization Report noted that most organizations surveyed (74%) are still reporting that their plans are either ad-hoc, applied inconsistently, or that they have no plans at all.
The use of cloud, the combination of on-premises, and cloud applications allow the user to access the application from BYOD devices around the world. There is a high risk of data breaches, with business operations changing rapidly due to an increasingly remote workforce and new attack techniques. The data suggest that surveyed businesses may be relying on outdated response plans which do not reflect the current threat and business landscape.
What is a Zero Trust?
The cyber-attacks are becoming more sophisticated, and the hackers continue to take advantage of advanced technology as much as any legitimate business. The security attitudes and protocols are also evolving and adapting in response. Some security professionals believe a tougher approach is best when it comes to overly sensitive environments.
Zero trust security is about not trusting the assets in the environment. It is a security model where, by default, no user or device is trusted inside or outside of the network. And it must verify anything trying to connect to its systems before granting access.
Is Zero Trust a model for effective and efficient security?
The traditional security focus is on perimeter security though there has been increased awareness and security measures in place for insider threats. After the perimeter security is breached hackers cause more damage by using the credentials of the users who almost have access to every system in the environment. This is because of more trust placed on the internal users. Hence there is a call for a security model “Zero Trust” based on the principle of maintaining strict access controls and not trusting anyone by default, even those inside the network perimeter.
What technologies support Zero Trust?
The July 2020 article in Forbes “14 Tech Experts Explain How to Successfully Adopt Zero Trust” provides the following tips for companies looking to successfully adopt Zero Trust security.
· Utilize people with the appropriate skills
- Treat everything as a potential threat
- Use software or services to uncover vulnerabilities
- Support your dev-ops
- Return to your security principles
- Create a zero-trust process
- Properly implement and manage IAM practices
- Focus on bite-sized tasks
- Implement micro-segmentation
- Use cloud-based APIs
- Create a solid cyber policy
- Invest in an IAM tool
- Focus on user education and adoption
- Integrate zero trust into your company culture
The article states that implementing a zero-trust regimen is daunting because the organizations are scrutinizing the moving parts inside a network for potential threats, but it’s not as hard as it sounds. The suggestion is to start by slicing the project into bite-size pieces. The Zero Trust implementation is not just the technology but process and culture too. The process involves implementing micro-segmentation and making sure that the security zones are broken up into smaller areas and that each one of them requires a separate sign-in and two-factor authentication process. The more segments there are, the more secure and in-order the system is going to be. The Zero Trust uses technologies such as IAM, net-gen firewalls, multifactor authentication, encryption, security orchestration, and file system permissions.
What organizations are doing about Zero Trust? Many organizations have multifactor authentication, IAM, upgrading firewalls to next-gen as well as implementing micro-segmentation for privileged and sensitive data access. The organizations in the cloud have flexibility compare to those with legacy systems. Implementing Zero Trust is an ongoing effort that needs to be driven by strategy. The organization will need a strategy in place before integrating different technologies. The security culture and training will be a major part of the Zero Trust process.